CVE-2026-21695: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in kromitgmbh titra
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
AI Analysis
Technical Summary
CVE-2026-21695 affects Titra, an open-source project time tracking software developed by kromitgmbh. The vulnerability is a Mass Assignment flaw categorized under CWE-915, which involves improper control over modification of dynamically-determined object attributes. Specifically, in Titra versions prior to 0.99.50, an API endpoint accepts a customfields parameter that is expected to be an Object. This parameter is merged into the database document using the JavaScript spread operator (...customfields) without validating the keys inside the object. Although the type of customfields is checked, there is no whitelist or restriction on which keys can be included. This allows authenticated users to inject or overwrite sensitive fields such as userId, hours, and state within time entries, effectively bypassing business logic constraints designed to protect data integrity. The vulnerability requires the attacker to be authenticated but does not require additional user interaction. The flaw could lead to unauthorized modification of time tracking records, potentially affecting billing, payroll, or project management processes. The issue was addressed and fixed in Titra version 0.99.50 by implementing proper validation and restrictions on the customfields keys. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but notable impact on integrity, with low attack complexity and requiring privileges.
Potential Impact
For European organizations using Titra versions below 0.99.50, this vulnerability poses a risk to the integrity of time tracking data. Attackers with valid credentials can manipulate critical fields such as userId, hours worked, and state of time entries, potentially leading to inaccurate billing, payroll errors, project mismanagement, and compliance issues. This could result in financial losses, internal disputes, and regulatory scrutiny, especially under strict European data protection and labor laws. While the vulnerability does not directly impact confidentiality or availability, the integrity compromise can undermine trust in operational data and reporting. Organizations relying on Titra for time tracking in sectors like consulting, legal, or engineering services, where accurate time records are essential, may face significant operational disruption. The requirement for authentication limits exposure to insider threats or compromised accounts, but the ease of exploitation once authenticated makes it critical to address. The absence of known exploits in the wild reduces immediate risk, but the presence of a public CVE and source code availability could facilitate future attacks.
Mitigation Recommendations
European organizations should immediately upgrade Titra installations to version 0.99.50 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict access controls to limit who can authenticate and access the vulnerable API endpoints. Monitor logs for unusual modifications to time entries, especially changes to userId, hours, or state fields. Employ application-layer firewalls or API gateways to inspect and restrict payloads containing unexpected keys in the customfields parameter. Conduct regular audits of time tracking data to detect anomalies indicative of manipulation. Additionally, enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability. Educate users about the importance of credential security and monitor for insider threats. Finally, consider isolating the time tracking system within segmented network zones to limit lateral movement if an attacker gains access.
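As an added illustration of the merge pattern described in the technical summary and of the payload restriction recommended above (example code written here, not Titra's own), the snippet below shows the spread-based merge beside an allowlist-based replacement that rejects and reports unexpected keys. The protected field names, the allowlist and the sample payload are assumed for illustration.

```javascript
// Added example, not Titra's code: the mass-assignment pattern behind
// CVE-2026-21695 and an allowlist-based merge that closes it. Field names,
// the allowlist and SAMPLE_PAYLOAD are constructed for illustration.

// Server-controlled fields a caller must never be able to set.
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'hours', 'state', 'projectId']);

// Custom field keys an administrator has actually defined (assumed config).
const ALLOWED_CUSTOM_FIELDS = new Set(['ticket', 'costCenter']);

// Constructed request body: one legitimate custom field plus two keys that
// collide with protected fields.
const SAMPLE_PAYLOAD = { ticket: 'ABC-12', userId: 'someone-else', hours: 99 };

function assertObject(customfields) {
  if (typeof customfields !== 'object' || customfields === null) {
    throw new TypeError('customfields must be an object'); // type check only
  }
}

// Vulnerable shape: the caller's object is spread straight into the document,
// so every key it contains lands in the database, protected ones included.
function buildTimeEntryVulnerable(userId, hours, customfields) {
  assertObject(customfields);
  return { userId, hours, state: 'open', ...customfields };
}

// Copy only allowlisted keys; collect everything else for rejection and logging.
function filterCustomFields(customfields) {
  const accepted = {};
  const rejected = [];
  for (const key of Object.keys(customfields)) {
    if (PROTECTED_FIELDS.has(key) || !ALLOWED_CUSTOM_FIELDS.has(key)) {
      rejected.push(key);
    } else {
      accepted[key] = customfields[key];
    }
  }
  return { accepted, rejected };
}

// Hardened shape: fail closed on unexpected keys (the rejected list is what a
// monitoring rule would alert on) and spread the filtered copy first so the
// server-controlled values always win.
function buildTimeEntrySafe(userId, hours, customfields) {
  assertObject(customfields);
  const { accepted, rejected } = filterCustomFields(customfields);
  if (rejected.length > 0) {
    throw new Error(`unexpected customfields keys: ${rejected.join(', ')}`);
  }
  return { ...accepted, userId, hours, state: 'open' };
}
```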
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-02T18:45:27.397Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695eeee107b8a419a7712f38
Added to database: 1/7/2026, 11:40:17 PM
Last enriched: 1/7/2026, 11:55:29 PM
Last updated: 1/9/2026, 12:01:14 AM